Americas

  • United States

Asia

Oceania

Josh Fruhlinger
Contributing writer

Social engineering: Definition, examples, and techniques

Feature
Feb 07, 202214 mins
PhishingSocial Engineering

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data. Train yourself to spot the signs.

puppet master
Credit: SvetaZi / Shutterstock

What is social engineering?

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data.

For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

Famous hacker Kevin Mitnick helped popularize the term ‘social engineering’ in the ’90s, although the idea and many of the techniques have been around as long as there have been scam artists.

Even if you’ve got all the bells and whistles when it comes to securing your data center, your cloud deployments, your building’s physical security, and you’ve invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).

How does social engineering work?

The phrase “social engineering” encompasses a wide range of behaviors, and what they all have in common is that they exploit certain universal human qualities: greed, curiosity, politeness, deference to authority, and so on. While some classic examples of social engineering take place in the “real world”—a man in a FedEx uniform bluffing his way into an office building, for example—much of our daily social interaction takes place online, and that’s where most social engineering attacks happen as well. For instance, you might not think of phishing or smishing as types of social engineering attacks, but both rely on tricking you—by pretending to be someone you trust or tempting you with something you want—into downloading malware onto your device.

This brings up another important point, which is that social engineering can represent a single step in a larger attack chain. A smishing text uses social dynamics to entice you with a free gift card, but once you tap the link and download malicious code, your attackers will be using their technical skills to gain control of your device and exploit it.

Social engineering examples

A good way to get a sense of what social engineering tactics you should look out for is to know about what’s been used in the past. We’ve got all the details in an extensive article on the subject, but for the moment let’s focus on three social engineering techniques — independent of technological platforms — that have been successful for scammers in a big way.

Offer something sweet. As any con artist will tell you, the easiest way to scam a mark is to exploit their own greed. This is the foundation of the classic Nigerian 419 scam, in which the scammer tries to convince the victim to help get supposedly ill-gotten cash out of their own country into a safe bank, offering a portion of the funds in exchange. These “Nigerian prince” emails have been a running joke for decades, but they’re still an effective social engineering technique that people fall for: in 2007 the treasurer of a sparsely populated Michigan county gave $1.2 million in public funds to such a scammer in the hopes of personally cashing in. Another common lure is the prospect of a new, better job, which apparently is something far too many of us want: in a hugely embarrassing 2011 breach, the security company RSA was compromised when at least two low-level employees opened a malware file attached to a phishing email with the file name “2011 recruitment plan.xls.”

Fake it till you make it. One of the simplest — and surprisingly most successful — social engineering techniques is to simply pretend to be your victim. In one of Kevin Mitnick’s legendary early scams, he got access to Digital Equipment Corporation’s OS development servers simply by calling the company, claiming to be one of their lead developers, and saying he was having trouble logging in; he was immediately rewarded with a new login and password. This all happened in 1979, and you’d think things would’ve improved since then, but you’d be wrong: in 2016, a hacker got control of a U.S. Department of Justice email address and used it to impersonate an employee, coaxing a help desk into handing over an access token for the DoJ intranet by saying it was his first week on the job and he didn’t know how anything worked.

Many organizations do have barriers meant to prevent these kinds of brazen impersonations, but they can often be circumvented fairly easily. When Hewlett-Packard hired private investigators to find out which HP board members were leaking info to the press in 2005, they were able to supply the PIs with the last four digits of their targets’ social security number — which AT&T’s tech support accepted as proof of ID before handing over detailed call logs.

Act like you’re in charge. Most of us are primed to respect authority — or, as it turns out, to respect people who act like they have the authority to do what they’re doing. You can exploit varying degrees of knowledge of a company’s internal processes to convince people that you have the right to be places or see things that you shouldn’t, or that a communication coming from you is really coming from someone they respect. For instance, in 2015 finance employees at Ubiquiti Networks wired millions of dollars in company money to scam artists who were impersonating company executives, probably using a lookalike URL in their email address. On the lower tech side, investigators working for British tabloids in the late ’00s and early ’10s often found ways to get access to victims’ voicemail accounts by pretending to be other employees of the phone company via sheer bluffing; for instance, one PI convinced Vodafone to reset actress Sienna Miller’s voicemail PIN by calling and claiming to be “John from credit control.”

Sometimes it’s external authorities whose demands we comply with without giving it much thought. Hillary Clinton campaign honcho John Podesta had his email hacked by Russian spies in 2016 when they sent him a phishing email disguised as a note from Google asking him to reset his password. By taking action that he thought would secure his account, he actually gave his login credentials away.

5 types of social engineering

  1. Phishing, as we noted above, which also includes text-based smishing and voice-based vishing These attacks are often low-effort but widely spread; for instance, a phisher might send out thousands of identical emails, hoping someone will be gullible enough to click on the attachment.
  2. Spear phishing, or whaling, is a “high-touch” variation of phishing for high-value targets. Attackers spend time researching their victim, who’s usually a high-status person with a lot of money they can be separated from, in order to craft unique and personalized scam communications.
  3. Baiting is a key part of all forms of phishing and other scams as well—there’s always something to tempt the victim, whether a text with a promise of a free gift card or something much more lucrative or salacious.
  4. Pretexting involves creating a story, or pretext, to convince someone to give up valuable information or access to some system or account. A pretexter might manage to find some of your personally identifying information and use it to trick you—for instance, if they know what bank you use, they might call you up and claim to be a customer service rep who needs to know your account number to help with a late payment. Or they could use the information to imitate you—this was the technique used by those HP PIs we discussed above.
  5. Business email frauds combine several of the above techniques. An attacker either gains control of a victim’s email address or manages to send emails that look like they’re from that address, then start sending emails to subordinates at work requesting the transfer of funds to accounts they control.

How to spot social engineering attacks

The security company Norton has done a pretty good job of outlining some red flags that could be a sign of a social engineering attack. These apply across social and technological techniques, and are good to keep in the back of your mind as you try to stay on guard:

  • Someone you know sends an unusual message: Stealing or mimicking someone’s online identity and then mining their social circles is relatively easy for a determined attacker, so if you get a message from a friend, relative, or coworker that seems off, be very sure you’re really talking to them before you act on it. It’s possible that your granddaughter really is on a vacation she didn’t tell you about and needs money, or that your boss really does wants you to wire a six-figure sum to a new supplier in Belarus, but that’s something for you to triple-check before you hit send.
  • A stranger is making an offer that’s too good to be true: Again, we all laugh at the Nigerian prince emails, but many of us still fall for scams that trick us by telling us we’re about to get something we never expected and never asked for. Whether it’s an email telling you won a lottery you didn’t enter or a text from a weird number offering you a free gift card just for paying your phone bill on time, if it feels too good to be true, it probably is.
  • Your emotions are heightened and you have to act now: Social engineering scammers play on strong emotions—fear, greed, empathy—to inculcate a sense of urgency specifically so you don’t stop to think twice about scenarios like the ones we just outlined. A particularly pernicious technique in this realm is a tech support scam, which preys on people who are already nervous about hacks but not very tech savvy: you hear from an aggressive person who claims to be from Google or Microsoft, tells you that your system has been compromised, and demands that you change your passwords right away—tricking you into revealing your credentials to them in the process.

How to avoid being a victim of social engineering

Fighting against all of these techniques requires vigilance and a zero-trust mindset. That can be difficult to inculcate in ordinary people; in the corporate world, security awareness training is the number one way to prevent employees from falling prey to high-stakes attacks. Employees should be aware that social engineering exists and be familiar with the most commonly used tactics.

Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is who they say they are.

But it isn’t just the average employee who needs to be aware of social engineering. As we saw, social engineers focus on high-value targets like CEOs and CFOs. Senior leadership often resists going to the trainings mandated for their employees, but they need to be aware of these attacks more than anyone.

5 tips for defending against social engineering

CSO contributor Dan Lohrmann offers the following advice:

  1. Train and train again when it comes to security awareness. Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyberthreats. Remember, this is not just about clicking on links.
  2. Provide a detailed briefing “roadshow” on the latest online fraud techniques to key staff. Yes, include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action — usually bypassing normal procedures and/or controls.
  3. Review existing processes, procedures, and separation of duties for financial transfers and other important transactions. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalyzed given the increased threats.
  4. Consider new policies related to “out of band” transactions or urgent executive requests. An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well-understood by all.
  5. Review, refine and test your incident management and phishing reporting systems. Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.

ISACA’s latest report State of Security 2021, Part 2 (a survey of almost 3,700 global cybersecurity professionals) discovered that social engineering is the leading cause of compromises experienced by organizations, while PhishLabs’ Quarterly Threat Trends and Intelligence Report revealed a 22% increase in the volume of phishing attacks in the first half of this year compared to the same period in 2020. Recent research by Gemini has also illustrated how cyber-criminals use social engineering techniques to bypass specific security protocols such as 3D Secure to commit payment fraud.

Social engineering attack trends are often cyclical, typically coming and going with regularity. For Nader Henein, research vice president at Gartner, a significant trend is that social engineering has become a standard element of larger attack toolboxes, being deployed in combination with other tools against organizations and individuals in a professional and repeatable approach. “Much of these capabilities, be it phishing or the use of deepfakes to convince or coerce targets, are being delivered in combination as-a-service, with service level agreements and support.” As a result, social engineering awareness and subsequent testing is increasingly required and present within security training at most organizations, he adds.

Jack Chapman, vice president of threat intelligence at Egress, points to a recent rise in “missed messaging” social engineering attacks. “This involves spoofing the account of a senior employee; the attacker will send a more junior colleague an email requesting that they send over a piece of completed work, such as a report,” he tells CSO.

To create additional pressure, the attacker will mention that the report was first requested in a fictional previous email, leading the recipient to believe that they’ve missed an email and haven’t completed an important task. “This is a highly effective way of generating urgency to respond, particularly in a remote work environment,” says Chapman. Furthermore, attackers are increasingly exploiting flattery to encourage recipients to click their malicious links. “A surprising trend we’ve seen is hackers sending birthday cards. Attackers can use OSINT to find out when their victim’s birthday is and send a link to ‘view a birthday e-card’ that is actually a weaponized phishing link. Often, the recipient doesn’t suspect a phishing attack because they’re too busy being flattered to have received a card on their birthday.”

According to Neosec CISO Renan Feldman, most social engineering attacks today leverage exposed APIs. “Most attackers are seeking access to those APIs rather than access to a device or a network, because in today’s world the business runs on application platforms. Moreover, breaching an API is much easier than penetrating an enterprise network and moving laterally to take over most or all key assets in it. Thus, over the next couple of years, it’s likely we will see a rise in single extortion via APIs. With more and more business data moving to APIs, organizations are tightening their anti-ransomware controls.”

Social engineering resources

A number of vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters.

Also worth checking out is social-engineer.org’s Social Engineering Toolkit, which is a free download. The toolkit helps automate penetration testing via social engineering, including spear phishing attacks, creation of legitimate-looking websites, USB drive-based attacks, and more.

Another good resource is The Social Engineering Framework.

Currently, the best defense against social engineering attacks is user education and layers of technological defenses to better detect and respond to attacks. Detection of key words in emails or phone calls can be used to weed out potential attacks, but even those technologies will probably be ineffective in stopping skilled social engineers.